
Friday, 27 October 2017

Bad Rabbit Ransomware or Evolution of NotPetya

Bad Rabbit launched on the morning of Tuesday, 24 October 2017. It was delivered through drive-by downloads of a fake Adobe Flash Player installer served from compromised websites. The installer initially went almost unnoticed: it carried a Symantec digital certificate and had a detection rate of 1 out of 65 engines on VirusTotal. Bad Rabbit shares a similar feature set and code snippets with the NotPetya wiper and can be regarded as a new version of it, presumably created by the same author. In this version the legitimate DiskCryptor driver is used to install the bootloader and encrypt the hard disk volumes covertly.

Main outcomes:

Bad Rabbit is a new version of NotPetya, presumably written by the same author;

It is a cryptolocker: you can unlock the computer and decrypt the data only by paying 0.05 BTC;

Unlike NotPetya, this is not a targeted attack;

Bad Rabbit spreads over the local network using the EternalRomance exploit against SMBv1 (the vulnerability patched in MS17-010), WMI, WebDAV, and brute-forcing of weak passwords over NTLMSSP;

Bad Rabbit uses the legitimate DiskCryptor driver.

Read the full report for more details.

Installation

The installer’s description says it is an Adobe Flash Player Installer/Uninstaller (MD5: fbbdc39af1139aebba4da004475e8839).

The dropper carries a valid Symantec certificate, but the signature does not verify against the file. The presence of a trusted signer name is therefore not a useful check on its own; verify the Authenticode signature itself (for example with Get-AuthenticodeSignature in PowerShell), which reports this dropper as invalid.

The following files are dropped:

cscc.dat (32-bit MD5: edb72f4a46c39452d1a5414f7d26454a, 64-bit MD5: B4E6D97DAFD9224ED9A547D52C26CE02) - the legitimate DiskCryptor driver (diskcryptor.net), used for disk encryption by the manager dispci.exe. It is installed as a service named 'cscc'.

infpub.dat (MD5: 1d724f95c61f1055f0d02c2154bbccd3) - the DLL responsible for file encryption and network propagation (its code is based on NotPetya's 'perfc.dat' payload).

Mimikatz (32-bit MD5: 37945c44a897aa42a66adcab68f560e0, 64-bit MD5: 347AC3B6B791054DE3E5720A7144A977) - dropped as a .tmp file in the Windows folder and used to harvest logins and passwords, which it returns to Bad Rabbit over a named pipe, as NotPetya did. The pipe name is passed to Mimikatz as a command-line parameter:

C:\Windows\<RND>.tmp \\.\pipe\{GUID}

Bad Rabbit will not start if a file named 'cscc.dat' already exists in the Windows folder, which makes pre-creating that file a simple vaccine.
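Because the dropper checks for that file, pre-creating it is a cheap vaccine. The following is an added example, my code rather than anything from the report: it creates an empty, read-only cscc.dat in the given Windows folder and, if a file is already there, hashes it against the MD5s listed above so that a host that is already infected is not mistaken for a vaccinated one. The demo() helper runs it against a temporary directory standing in for C:\Windows; on a real host you would call vaccinate(os.environ["SystemRoot"]) from an elevated prompt.

```python
import hashlib
import os
import stat
import tempfile

# Kill-switch file: the report states the dropper refuses to run when
# cscc.dat already exists in the Windows folder.
KILL_SWITCH = "cscc.dat"

# MD5s the report lists for the files the dropper writes, used to tell an
# existing real driver/DLL (host already hit) apart from a placeholder.
KNOWN_MD5 = {
    "edb72f4a46c39452d1a5414f7d26454a": "cscc.dat (32-bit DiskCryptor driver)",
    "b4e6d97dafd9224ed9a547d52c26ce02": "cscc.dat (64-bit DiskCryptor driver)",
    "1d724f95c61f1055f0d02c2154bbccd3": "infpub.dat (encryption/propagation DLL)",
}


def md5_of(path):
    """Hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def vaccinate(windir, names=(KILL_SWITCH,)):
    """Pre-create each name in windir as an empty read-only file.

    Returns {name: "created" | "present" | "ioc:<description>"}.
    "present" means a file was already there and is not a known dropped file
    (e.g. an earlier vaccine); "ioc:" means it hashes to one of the report's IOCs.
    """
    result = {}
    for name in names:
        path = os.path.join(windir, name)
        if os.path.exists(path):
            digest = md5_of(path)
            result[name] = ("ioc:" + KNOWN_MD5[digest]) if digest in KNOWN_MD5 else "present"
            continue
        with open(path, "xb"):  # exclusive create: never truncate an existing file
            pass
        # Read-only for the owner; on Windows this sets the read-only attribute.
        os.chmod(path, stat.S_IREAD)
        result[name] = "created"
    return result


def is_vaccinated(windir, names=(KILL_SWITCH,)):
    """True when every kill-switch name exists as a regular file in windir."""
    return all(os.path.isfile(os.path.join(windir, n)) for n in names)


def demo():
    """Run the vaccine twice against a throw-away directory standing in for
    C:\\Windows; returns (first run, second run, is_vaccinated)."""
    with tempfile.TemporaryDirectory() as d:
        first = vaccinate(d)
        second = vaccinate(d)
        ok = is_vaccinated(d)
        # Restore write permission so the temporary directory can be removed.
        os.chmod(os.path.join(d, KILL_SWITCH), stat.S_IREAD | stat.S_IWRITE)
        return first, second, ok


if __name__ == "__main__":
    # Real use: vaccinate(os.environ["SystemRoot"]) from an elevated prompt.
    print(demo())
```

The read-only bit is the minimum. Published mitigations additionally strip the placeholder's ACL inheritance (icacls C:\Windows\cscc.dat /inheritance:r) so that the file is harder to replace; the page only establishes that the dropper aborts when the file exists, so treat the ACL step as defence in depth rather than something the dropper is known to need.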

To start encrypting files, the dropper loads the dropped DLL in the same way that NotPetya was executed by the M.E.Doc backdoor ("C:\Windows\system32\rundll32.exe C:\Windows\perfc.dat,#1 30"):

“C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15”

Scheduling tasks

Bad Rabbit schedules a system reboot for a few minutes later, via a scheduled task that runs:

C:\WINDOWS\system32\shutdown.exe /r /t 0 /f
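The execution chain described above (rundll32 loading infpub.dat by ordinal, a random-named .tmp in the Windows folder handed a \\.\pipe\{GUID}, the cscc service, the forced reboot) is exactly what endpoint telemetry records. The following is an added detection example, my code and not part of the report: it runs a few rules over constructed process-creation and service-install events in a Sysmon/EDR-like shape (the sample lines are made up for this example) and correlates the hits per host. The rundll32 rule is written generally, for any .dat in the Windows folder loaded by export ordinal, so it also matches the NotPetya command line quoted above; the forced-reboot rule is deliberately weak and never flags a host by itself.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): one event per dict, modelled on
# Sysmon process-creation (type "process") and service-install (type "service").
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"host": "ws01", "type": "process",
     "cmdline": r"C:\Windows\7A3B.tmp \\.\pipe\{9C8D2D1A-1A0B-4E9A-8E3C-2B6F8D6A1C3E}"},
    {"host": "ws01", "type": "service", "name": "cscc", "path": r"C:\Windows\cscc.dat"},
    {"host": "ws01", "type": "process",
     "cmdline": r"C:\WINDOWS\system32\shutdown.exe /r /t 0 /f"},
    # Benign host: ordinary rundll32 use and an admin-initiated forced reboot.
    {"host": "ws02", "type": "process",
     "cmdline": r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws02", "type": "process",
     "cmdline": r"shutdown.exe /r /t 0 /f"},
]

# Strong indicators: any one of them is enough to flag the host.
STRONG_RULES = {
    # rundll32 loading a .dat from the Windows folder by export ordinal: matches
    # both NotPetya (perfc.dat,#1) and Bad Rabbit (infpub.dat,#1).
    "rundll32_dat_ordinal": re.compile(
        r"rundll32\.exe\s+\S*\\windows\\[^\\\s]+\.dat,#\d+", re.IGNORECASE),
    # Random-named .tmp in the Windows folder started with a \\.\pipe\{GUID}
    # argument: the dropped Mimikatz build being handed its output pipe.
    "tmp_with_pipe_guid": re.compile(
        r"\\windows\\[^\\\s]+\.tmp\s+\\\\\.\\pipe\\\{[0-9a-f-]{36}\}", re.IGNORECASE),
}
STRONG = set(STRONG_RULES) | {"cscc_service"}


def is_forced_reboot(cmdline):
    """shutdown.exe with /r, /f and /t 0 in any order: a weak indicator alone."""
    toks = cmdline.lower().split()
    if not toks or not toks[0].endswith("shutdown.exe"):
        return False
    try:
        immediate = toks[toks.index("/t") + 1] == "0"
    except (ValueError, IndexError):
        immediate = False
    return "/r" in toks and "/f" in toks and immediate


def match_event(ev):
    """Return the names of all rules the event triggers."""
    hits = []
    if ev["type"] == "process":
        hits += [name for name, rx in STRONG_RULES.items() if rx.search(ev["cmdline"])]
        if is_forced_reboot(ev["cmdline"]):
            hits.append("forced_reboot")
    elif ev["type"] == "service":
        if ev["name"].lower() == "cscc" or ev["path"].lower().endswith(r"\cscc.dat"):
            hits.append("cscc_service")
    return hits


def correlate(events):
    """Per host: ("infected", hits) if any strong rule fired, else ("clean", hits)."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_event(ev))
    return {host: ("infected" if hits & STRONG else "clean", sorted(hits))
            for host, hits in per_host.items()}


if __name__ == "__main__":
    for host, (verdict, hits) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict} {hits}")
```

In a real deployment the service rule would be fed from System log event 7045 (service installed) and the process rules from Sysmon event 1 or the EDR's equivalent; the point of the per-host correlation is that the reboot alone is common administrative noise, while the rundll32 ordinal load or the pipe-argument Mimikatz child is not.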

On reboot, it starts the payload in the console under the ‘SYSTEM’ account as follows:

Conclusion

Based on the analysis above, we can state with high confidence that Bad Rabbit's 'infpub.dat' module is based on NotPetya source code and is a new version of it. Consequently, Bad Rabbit was written by the same author, who in the current attack is financially motivated. Given the geographic diversity of the victims reported by Kaspersky Lab, we suggest that this is not a nation-state attack. However, a future version could be used to attack the critical infrastructure of some state.